In the light of the recent mysterious stealing of coins despite having 2FA and a double password, will it be possible to offer any more protection against withdrawal? A few suggestions in addition to the existing ones (of course the user will have to enable these, and not by default):

1. An email reconfirmation (with a hotlink to be clicked) before withdrawal. No reconfirmation, no withdrawal processed.
2. Option to completely disable withdrawal with a radio button / option, for which enabling withdrawal is dependent on email hotlink confirmation (like #1).
3. A picture + phrase verification while logging in (like Bank of America etc.).

Any other suggestions welcome.

I doubt these help, as the attacker doesn't seem to be using blockchain.info software to attack. They seem to get the private keys somehow.

That's scary!

Maybe piuk can say something. If this has any truth, any withdrawal must get suspended until things are resolved. At least piuk should advise people to pull out coins till things get resolved.

From what I understand, the problem is with rooted phones. For me, I have uninstalled the app completely and set up another watch-only wallet on BCI. I installed the app again and will handle transactions from bitcoin-qt. I never had a lot in the BCI wallet to begin with, but a theft would be painful anyway, more so if the reason is known.

When a wallet is accessed using an alias, if the browser does not already have the wallet identifier saved or an authorised login session, email authorisation will now be required.

If the browser is previously recognised by blockchain, no authorisation is required. Wallets can still be accessed directly by identifier, which provides 128 bits of entropy and should always be kept secret.

A number of users have reported their wallet being compromised to me. The exact cause is unknown (I suspect malware); however, in pretty much all cases the user has set a wallet alias which is the same as their bitcointalk username (and used on other sites). This is common practice; however, it is much more secure if the wallet identifier and alias are kept secret. The above changes are meant to address this problem.

I will respond to the above posts shortly, apologies for the delay.

So the question is why did this change all of a sudden... why are browsers that were recognised now not, and identifiers not put in, as they were before?? This is how they are attacking you, something here...

I had to reinstall my OS and everything from scratch, and when I set up my wallet as before using the Firefox extension, it asks for my identifier, but when given, this results in the page reloading, the identifier being blank, and an email sent to me. I click the link in the email, as instructed, but for whatever reason the Firefox extension never seems to work or remember the identifier even after I've "allowed" the login attempt.

Improved Fee Handling - The Fee policy set in the web interface will now be honoured in the android app

Second Password will be cleared after a transaction is sent

Fix Pairing Issues

How PIN protection works

1) When the PIN is created, a unique secret is generated and stored on the server.
2) The user's password is then encrypted with the new secret and saved on the device.
3) When restoring the wallet, if the correct PIN is provided the server responds with the secret, allowing the device to decrypt the password.
4) If the PIN is entered incorrectly 4 times, the key is removed from the server and the main password will need to be re-entered.

This prevents a malicious app on rooted devices from reading the password directly from app data; however, more sophisticated malware that reads the app memory, or keyloggers, will still be possible.
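The four steps above as an added stand-alone model (not the Blockchain app's own code): the server holds the secret and releases it only for a correct PIN, the device stores only the encrypted password, and four wrong PINs delete the server-side key so that only the main password can recover the wallet. The PBKDF2 PIN hash and the HMAC-based stream cipher are stand-ins chosen so the example runs on the Python standard library; they are not the app's actual primitives.

```python
import hashlib, hmac, os, secrets
MAX_ATTEMPTS = 4  # per the post: four wrong PINs and the server removes the key


def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class PinServer:
    def __init__(self):
        self._records = {}  # key_id -> [pin_hash, salt, secret, failures]

    def create(self, pin):
        """Step 1: generate a fresh secret and keep it server-side only."""
        key_id, salt, secret = secrets.token_hex(16), os.urandom(16), os.urandom(32)
        self._records[key_id] = [_pin_hash(pin, salt), salt, secret, 0]
        return key_id, secret

    def unlock(self, key_id, pin):
        """Steps 3-4: release the secret for a correct PIN; delete it after MAX_ATTEMPTS misses."""
        rec = self._records.get(key_id)
        if rec is None:
            return None  # key removed or unknown: the main password is required again
        if hmac.compare_digest(_pin_hash(pin, rec[1]), rec[0]):
            rec[3] = 0
            return rec[2]
        rec[3] += 1
        if rec[3] >= MAX_ATTEMPTS:
            del self._records[key_id]
        return None


def _keystream(secret, nonce, n):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), not the app's own cipher.
    return b"".join(hmac.new(secret, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]


def encrypt_password(secret, password):
    """Step 2 (device): encrypt-then-MAC the wallet password under the server secret."""
    nonce, pw = os.urandom(16), password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(secret, nonce, len(pw))))
    return nonce + ct + hmac.new(secret, nonce + ct, hashlib.sha256).digest()


def restore_password(server, key_id, blob, pin):
    """Restore (device): fetch the secret with the PIN, verify the tag, then decrypt."""
    secret = server.unlock(key_id, pin)
    if secret is None:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(secret, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(secret, nonce, len(ct)))).decode()
```

Note what the model makes explicit: the device blob is useless without the server's secret, so malware that copies app data gets only ciphertext, but anything that captures the decrypted password in memory or the PIN as it is typed is outside this protection, exactly as the post says.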